Privacy Notice EEA

Published on May 9, 2024
This information may not apply to all customers.
Sign in to check whether the products, features, rules and terms in this article apply to you.

Last updated: June 1, 2026

NOTICE EFFECTIVE DATE: JUNE 26, 2026

1. INTRODUCTION

Thank you for visiting OKX.com or the OKX app (the “Site”). For residents of one of our approved operating locations within the European Economic Area (“EEA”), your use of the Site is being facilitated by OKX Europe Limited, a Malta limited liability company (C88193) with a registered address at Piazzetta Business Plaza, Office Number 4, Floor 2, Triq Ghar il-Lembi, Sliema, SLM 1562, Malta.

OKX, as a/the data controller, provides this Privacy Notice Statement (the “Privacy Notice”) to describe our practices regarding the collection, storage, use, disclosure, and other processing of Personal Data (defined below). By visiting, accessing, or using the Site and associated application program interfaces or mobile applications, you (a) acknowledge that you have the right, capacity, and authority to accept this Privacy Notice; (b) acknowledge that you have read and understand this Privacy Notice; and (c) consent to the policies and practices outlined in this Privacy Notice. So please read them carefully to understand what we do.

This Privacy Notice explains what data we collect, why we collect it, how such data is used and stored, how such data may be shared by us, rights you may have, and how you can contact us about our privacy practices. If you do not wish for your Personal Data (as defined below) to be used in the ways described in this Privacy Notice, you should not use the Site or any services, software, API (application program interface), technologies, products and/or functionalities offered by this Site (collectively, the “Service(s)”).

2. DEFINITIONS

Personal Data: Any information relating to an identified or identifiable natural person, including name, ID number, location data, online identifier, or factors specific to the physical, economic, cultural, or social identity of that person. Does not include anonymised data (GDPR Art. 4(1)).

Sensitive / Special Category Data: Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data (for identification), health data, or data concerning sex life or sexual orientation (GDPR Art. 9).

Biometric Data: Personal data resulting from specific technical processing relating to physical, physiological, or behavioural characteristics of a natural person that allows or confirms their unique identification (GDPR Art. 4(14)).

Profiling: Any form of automated processing of Personal Data to evaluate, analyse, or predict personal aspects, including economic situation, behaviour, preferences, or risk profile (GDPR Art. 4(4)).

Entity-Matching: The process of determining, with a high degree of confidence, whether individuals who have submitted different identity credentials to different OKX Group entities are the same individual, for the purposes of AML/CFT group-wide controls.

Customer Risk Rating (CRR): An internal risk classification assigned to a customer based on KYC, transaction monitoring, PEP/sanctions status, and other due diligence factors.

3. PERSONAL DATA WE COLLECT

OKX collects Personal Data you provide directly, data collected automatically through your use of our Services, and data received from third parties.

Data You Provide

  • Identity and contact: full name, email, telephone, date of birth, nationality, residential address, government-issued identification documents.

  • Institutional (business accounts): corporate legal name, registration number, proof of legal existence, beneficial owner information, business description, source of funds / wealth.

  • Commercial information: data related to transactions conducted on the OKX Platform.

  • Financial: bank account details, source of funds, assets and liabilities.

  • PEP and sanctions: information about whether you or a close associate holds a prominent public function.

  • Correspondence: communications with Customer Support, survey responses, chat logs.

  • Optional profile: avatar, display name, nickname.

Data Collected Automatically

  • Technical identifiers: IP address, MAC address, device fingerprint, unique device identifiers, operating system, browser type and version.

  • Usage and behavioural: session data, clickstream, page interaction signals, approximate geolocation derived from IP address.

  • Application data: information about applications installed on your device where necessary to detect malicious software or device compromise.

Data Received from Third Parties

  • Identity verification: from processor(s) Sumsub, including biometric data - see Section 11.

  • AML / fraud: from sanctions screening, PEP database, and fraud intelligence providers (including Refinitiv World-Check, Dow Jones Risk & Compliance, Moody’s).

  • Payment: from banks and payment processors, including your name, account details, and transaction information.

  • Referral: from referrers, affiliates, and marketing partners.

AML/CFT Data Shared Within the OKX Group (Multi-Entity Customers)

If you hold accounts with more than one OKX Group entity, authorised Compliance personnel (including Money Laundering Reporting Officers) may share Personal Data about you between entities in specific elevated-risk scenarios described in Section 8. Categories of data that may be shared include identity and verification data, risk and compliance data (CRR, PEP/sanctions status, transaction monitoring alerts), biometric entity-matching data, and device and technical data.

4. UNSOLICITED PERSONAL DATA

We may receive unsolicited Personal Data about you. We destroy or de-identify all unsolicited Personal Data we receive unless it is relevant to the purposes stated in this Notice or otherwise required by applicable law. If we retain such data, it is held in the same way as your other Personal Data.

5. LEGAL BASES FOR PROCESSING

We process Personal Data subject to the GDPR on one or more of the following legal bases:

Processing purpose: Account creation, onboarding, KYC, and provision of Services
Legal basis: Contract performance (Art. 6(1)(b))
Data categories: Identity, financial, verification, transactional

Processing purpose: AML/CFT compliance, sanctions screening, PEP checks
Legal basis: Legal obligation (Art. 6(1)(c))
Data categories: Identity, financial, PEP, biometric, transactional

Processing purpose: Intra-group AML/CFT data sharing (multi-entity customers)
Legal basis: Legal obligation; Legitimate interest (Arts. 6(1)(c), 6(1)(f))
Data categories: CRR, risk indicators, sanctions matches, account status

Processing purpose: Biometric entity-matching across group entities
Legal basis: Substantial public interest (Art. 9(2)(g))
Data categories: Facial geometry, biometric confidence scores

Processing purpose: Fraud detection and platform security
Legal basis: Legitimate interest (Art. 6(1)(f))
Data categories: Device data, IP, behavioural signals, transactional

Processing purpose: Regulatory reporting, tax compliance, STR/SAR filing
Legal basis: Legal obligation (Art. 6(1)(c))
Data categories: Identity, financial, transactional, risk data

Processing purpose: AI-driven risk scoring and automated account decisions
Legal basis: Legal obligation; Legitimate interest (Arts. 6(1)(c), 6(1)(f))
Data categories: Behavioural, transactional, identity, device data

Processing purpose: Customer support
Legal basis: Contract performance; Legitimate interest (Arts. 6(1)(b), 6(1)(f))
Data categories: Identity, correspondence, transactional

Processing purpose: Service improvement, analytics, product development
Legal basis: Legitimate interest (Art. 6(1)(f))
Data categories: Usage, browser/log data, correspondence

Processing purpose: Direct marketing communications
Legal basis: Consent (Art. 6(1)(a))
Data categories: Name, email, communication preferences

Processing purpose: Non-essential cookies and behavioural tracking
Legal basis: Consent (Art. 6(1)(a))
Data categories: Device identifiers, browsing behaviour, IP

Processing purpose: Biometric identity verification (onboarding)
Legal basis: Explicit consent (Art. 9(2)(a))
Data categories: Facial geometry, liveness detection data

Processing purpose: Legal proceedings and defence of claims
Legal basis: Legitimate interest (Art. 6(1)(f))
Data categories: All relevant categories

6. HOW WE USE YOUR PERSONAL DATA

In addition to the purposes mapped in Section 5, OKX uses your Personal Data to:

  • Administer your account, process transactions, and deliver requested Services;

  • Comply with applicable legal and regulatory obligations, including AML/CFT, sanctions, and tax reporting;

  • Detect, investigate, and prevent fraudulent transactions, unauthorised access, and prohibited activities;

  • Communicate with you about your account, material changes to our Services, and legal or operational notifications;

  • Improve our platform, develop new products, and conduct internal analytics and research;

  • Conduct group-wide AML/CFT risk assessment for multi-entity customers (see Section 8);

  • Send you marketing communications about OKX products and Services, with your prior consent.

Sensitive / Special Category Data will be used only for the purpose for which it was provided or a directly related secondary purpose, unless you explicitly consent otherwise or a statutory exemption applies.

7. AUTOMATED DECISION-MAKING, PROFILING, AND ENTITY-MATCHING

OKX uses automated processing and AI-driven systems for the following purposes that may have significant effects on your account. In all cases where automated processing produces a result that may significantly affect your account or relationship with OKX Group, that result is subject to mandatory review by a trained human Compliance or CDD officer before any consequential action is taken.

System / purpose: KYC Identity Verification
Data inputs / logic: Document analysis, liveness detection, cross-reference against sanctions and fraud databases (Sumsub).
Potential effect: Account activation delayed, restricted, or declined.
Human review: Mandatory before final decision.

System / purpose: AML Transaction Risk Scoring
Data inputs / logic: Transaction patterns, counterparty data, source of funds, PEP status, jurisdictional risk, behavioural signals to assign Customer Risk Rating (CRR).
Potential effect: Enhanced due diligence, transaction limits, or suspension of withdrawals.
Human review: Mandatory MLRO review for material CRR changes.

System / purpose: Sanctions Screening
Data inputs / logic: Cross-reference against OFAC SDN, EU Consolidated List, UK HM Treasury, and other designated persons lists.
Potential effect: Account restriction, freeze, or STR/SAR filing.
Human review: Mandatory human review of potential matches.

System / purpose: Fraud Detection
Data inputs / logic: Anomaly detection on account activity, login patterns, device fingerprinting, and behavioural signals.
Potential effect: Temporary account restriction or suspension pending manual review.
Human review: Mandatory review before permanent action.

System / purpose: Biometric Entity-Matching (Multi-Entity)
Data inputs / logic: Facial geometry and biometric confidence scores compared across OKX Group entities. Results are confidence indicators only.
Potential effect: Elevated group-level risk assessment; possible CRR revision. No account action solely on automated matches.
Human review: Mandatory CDD team review of all confidence factors before confirming a match.

Your Rights Regarding Automated Decisions

Where an automated decision produces a legal or similarly significant effect on you, you have the right to: (a) request human review by a qualified OKX employee; (b) express your point of view and provide additional information; and (c) contest the decision and request reconsideration. Contact privacyoffice@okx200.com with subject ‘AUTOMATED DECISION REVIEW REQUEST’.

EU AI Act Transparency

Certain AI systems deployed by OKX are classified as high-risk under Annex III of the EU AI Act (Regulation 2024/1689), including systems used for biometric identification and AML/fraud risk scoring. OKX has put in place conformity assessments and Fundamental Rights Impact Assessments to meet our compliance obligations.

8. AML/CFT INTRA-GROUP DATA SHARING (MULTI-ENTITY CUSTOMERS)

The Information-Sharing Framework

Group entities are required to implement group-wide AML/CFT policies and procedures, including procedures for the sharing of information within the group where relevant for customer due diligence and transaction monitoring. In accordance with this obligation, authorised OKX Group Compliance personnel (including Money Laundering Reporting Officers (MLROs)) may share Personal Data about you with MLROs in other OKX Group entities where you hold accounts.

This sharing is subject to strict purpose limitation: it may only occur for AML/CFT compliance purposes and is limited to authorised Compliance personnel. It does not permit sharing for commercial, marketing, or other non-compliance purposes.

Account Restriction and Cross-Entity Freezing

Where an OKX Group entity is legally required to freeze or restrict your account under applicable sanctions legislation or regulatory direction:

  • The entity imposing the restriction will notify other OKX Group entities in which you hold accounts of the fact of the restriction and, to the extent legally permissible, its regulatory basis.

  • Each receiving entity will independently assess whether it is required under its own applicable law to impose a corresponding restriction. This is not an automatic process: each MLRO exercises independent legal judgment.

  • Sanctions obligations vary significantly between jurisdictions. A match under one jurisdiction’s list does not automatically create a legal obligation in another jurisdiction, but will trigger a review.

  • Primary basis: Legal obligation (4AMLD Art. 45 group controls; applicable national AML law) (GDPR Art. 6(1)(c)).

  • Secondary basis: Legitimate interests in group-wide financial crime prevention (Art. 6(1)(f)). LIA available on request.

  • Biometric entity-matching: Substantial public interest (AML/CFT) (Art. 9(2)(g)), supplemented by applicable national implementing legislation. See Section 11.

9. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

OKX may disclose Personal Data to the following categories of recipients, in each case only to the extent necessary for the stated purpose and subject to appropriate contractual data protection obligations:

  • OKX Group companies: subsidiaries, holding companies, and affiliated entities - including for AML/CFT intra-group sharing as described in Section 8.

  • Identity verification processors: Au10tix, Jumio, and Sumsub - whose respective biometric data policies are linked in Section 11.

  • AML, fraud, and sanctions service providers: Refinitiv World-Check, Dow Jones Risk & Compliance, Moody’s, and equivalent providers.

  • Biometric entity-matching technology providers: EagleEye or equivalent, acting as data processors under Data Processing Agreements.

  • Payment processors and banking partners: entities facilitating fiat transfers and payment processing.

  • IT, infrastructure, and analytics providers: cloud hosting, data storage, customer support platforms, and analytics services.

  • Professional advisors: legal counsel, auditors, and compliance consultants.

  • Regulators, FIUs, and law enforcement: where required by applicable law, court order, or lawful regulatory request, including STR/SAR disclosures to Financial Intelligence Units.

  • Prospective acquirers: in the context of a merger, acquisition, or sale of all or part of OKX’s business, subject to confidentiality obligations.

OKX does not sell your Personal Data to third parties for their own commercial use. All third-party processors are subject to data processing agreements imposing data protection obligations at least equivalent to those in this Notice.

10. INTERNATIONAL DATA TRANSFERS

OKX operates globally and transfers Personal Data to countries other than the country in which it was collected. All international transfers are conducted subject to appropriate safeguards in accordance with Chapter V GDPR. 

Transfers from the EEA

  • To countries with a European Commission adequacy decision: transfers proceed without additional safeguards.

  • To all other third countries (including the Seychelles): OKX relies on Standard Contractual Clauses (Module 1, Controller-to-Controller) under EU Commission Implementing Decision 2021/914/EU, supplemented by Transfer Impact Assessments (TIAs) where required.

  • For urgent, non-systematic transfers pending execution of SCCs (e.g. in AML/CFT escalation scenarios): Art. 49(1)(d) GDPR — transfer necessary for important reasons of substantial public interest (AML/CFT compliance). This derogation is relied upon only in circumstances described in Section 8 and for the minimum period necessary.

The OKX Group operates globally, and your Personal Data may be stored or processed in any country where we are licensed, maintain a presence, or engage service providers. All such transfers comply with applicable data protection law and your Personal Data is protected to the standards in this Notice. Courts, law enforcement, and regulatory authorities in those countries may have lawful access to your Personal Data.

A Transfer Impact Assessment has been conducted in relation to OKX Group transfers to the Seychelles, having regard to the Seychelles Data Protection Act 2023.

11. IDENTITY VERIFICATION AND BIOMETRIC DATA PRIVACY NOTICE

To comply with applicable laws, regulations, and other legal obligations in the EEA and in other countries, including “know your customer” obligations, we require all users to verify their identity before using our Services. 

In order to verify a user’s identity for the use of certain Services, the user is asked to capture an image of their government ID (e.g., a passport or driver’s license) and take a real-time selfie image of their face. We provide those images to our identity verification service provider, who then uses a combination of machine learning tools and statistical algorithms to confirm the authenticity of the government ID and selfie image, and to perform biometric facial comparisons to determine whether the face contained in the government ID and selfie image belong to the same person. Through this process, the verification service provider will typically generate a confidence score representing the confidence level that the images of the individuals match, which we or the relevant service provider may use in determining the level of confidence that the individual submitting the selfie image is the same person as the individual on the government ID. 

We do not receive, store, or collect any facial biometric information generated by our third-party identity verification service provider from the images, and our identity verification service provider retains biometric information only as long as necessary for us to provide our Service to you and to help us comply with our legal obligations. We do not use, disclose, or retain facial biometric information for any other commercial purpose. However, we do retain the information and images you provide in connection with the identity verification process, along with the results of the identity check, as long as necessary to provide our service to you and to comply with our legal obligations. 

We currently use identity verification services provided by Sumsub. Each provider collects, processes, and shares your personal information, which may include biometric data, as set out in the Sumsub Privacy Notice.

12. DATA RETENTION

OKX retains your Personal Data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. Where no statutory period applies, data is held only for as long as the original purpose requires, then securely deleted or irreversibly anonymised.

If you close your account with us, we will continue to retain your Personal Data as necessary to comply with our legal and regulatory obligations, including a minimum five-year post-relationship retention period under applicable AML/CFT legislation.

Retention periods may be extended where required by a legal hold, regulatory direction, or pending legal proceedings.

Personal Data may be transferred to, and stored or processed in, countries other than your country of residence. All such international transfers are conducted subject to lawful transfer mechanisms as described in Section 10.

13. INFORMATION SECURITY

OKX implements appropriate technical and organisational measures to protect Personal Data against unauthorised access, accidental loss, alteration, disclosure, or destruction (GDPR Art. 32). These measures include:

  • End-to-end encryption of platform communications using TLS 1.2 or higher;

  • Mandatory two-factor authentication (2FA) for all account access;

  • Role-based access controls limiting internal access to Personal Data on a need-to-know basis;

  • Audit logging of all cross-entity data access and sharing events (required for AML/CFT intra-group sharing);

  • Regular penetration testing and vulnerability assessments;

  • Secure disposal of Personal Data upon expiry of the applicable retention period.

For questions about information security or to report security issues, contact security@okx200.com with the subject ‘INFORMATION SECURITY REQUEST’.

14. YOUR RIGHTS

Subject to verification of your identity and applicable legal exceptions, you have the following rights under the GDPR. To exercise any right, visit the DSAR Portal.  

Right: Access (Art. 15)
Description: Obtain confirmation of processing and a copy of Personal Data held, including information about the processing. Response within 30 days.
AML/tipping-off restriction: May be restricted where disclosure would prejudice an AML/CFT investigation or constitute tipping-off (4AMLD Art. 39).

Right: Rectification (Art. 16)
Description: Request correction of inaccurate or completion of incomplete data.
AML/tipping-off restriction: Available in full; corrections do not affect independently formed risk assessments.

Right: Erasure (Art. 17)
Description: Request deletion where processing no longer has a lawful basis.
AML/tipping-off restriction: Cannot apply where retention is required by AML/sanctions legislation (five-year minimum post-relationship retention applies).

Right: Restriction (Art. 18)
Description: Request suspension of processing in specified circumstances.
AML/tipping-off restriction: May be overridden by legal obligation to continue AML/CFT processing.

Right: Portability (Art. 20)
Description: Receive data in a structured, machine-readable format; transfer to another controller.
AML/tipping-off restriction: Applies to contractual/consent-based processing only; not to mandatory AML processing.

Right: Object (Art. 21)
Description: Object to processing based on legitimate interest; absolute right to object to direct marketing.
AML/tipping-off restriction: Right to object does not apply where processing is necessary for legal compliance (AML/CFT).

Right: Automated Decisions (Art. 22)
Description: Request human review; express view; contest decision. See Section 7.
AML/tipping-off restriction: Risk scoring incorporates mandatory human review. Entity-matching results require CDD team confirmation.

Right: Withdraw Consent (Art. 7(3))
Description: Withdraw consent for consent-based processing at any time without affecting the lawfulness of prior processing.
AML/tipping-off restriction: Not applicable to AML/CFT mandatory processing.

Right: Lodge Complaint (Art. 77)
Description: Lodge a complaint with the competent supervisory authority in your EU Member State of habitual residence or work.
AML/tipping-off restriction: Applies in full; DPO escalation available first.

While we endeavour to respond to requests free of charge, we reserve the right to charge a reasonable fee should your request be repetitive or unduly onerous (Art. 12(5) GDPR).

Where OKX processes your Personal Data on the basis of consent, you may withdraw that consent at any time via:

  • Email: privacyoffice@okx200.com | Subject: ‘CONSENT WITHDRAWAL REQUEST’

Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

While you access our Site, we may use the industry practice of placing a small amount of data that will be saved by your browser (“Cookies”). We use Cookies to enhance your experience, collect and analyse Site usage data, and ensure compliance with our AML programme.

Category: Strictly Necessary
Purpose: Session management, authentication, security, and fraud prevention. Cannot be disabled.
Consent required: No
Duration: Session / 24h

Category: Performance / Analytics
Purpose: Platform usage analysis, traffic measurement, and error identification.
Consent required: Yes - CMP
Duration: 12 months

Category: Functional
Purpose: Preference retention (language, region, display settings).
Consent required: Yes - CMP
Duration: 12 months

Category: Targeting / Advertising
Purpose: Relevant advertising on third-party platforms; marketing campaign measurement.
Consent required: Yes - explicit
Duration: 6 months

Manage cookie preferences via the Cookie Preference Centre. A full Cookie Notice listing each cookie by name, provider, purpose, and duration is available on the Site. 

17. CHILDREN’S PERSONAL DATA

OKX does not knowingly offer Services to or collect Personal Data from individuals under the age of 18. If OKX becomes aware of inadvertent collection of a minor’s data, it will be promptly deleted. Notify us at privacyoffice@okx200.com if you are aware of a minor using our Service.

18. COMMUNICATIONS AND MARKETING

OKX will only send direct marketing communications with your prior consent (GDPR Art. 6(1)(a)). You may withdraw consent and opt out at any time via the unsubscribe link in any marketing communication or by contacting Customer Support at the Support Centre.

Service communications such as account notifications, policy updates, security alerts, and transaction confirmations are sent on the basis of contract performance or legal obligation (Arts. 6(1)(b) and 6(1)(c)) and cannot be opted out of during an active account.

We may share Personal Data with third parties to assist with marketing and promotional projects. Such third parties act as processors and are subject to data processing agreements.

19. DATA PROTECTION OFFICER AND SUPERVISORY AUTHORITY

OKX has designated a Group Data Protection Officer (DPO) responsible for overseeing data protection compliance across the OKX Group. The DPO may be contacted at:

  • Email: privacyoffice@okx200.com

  • Ioannis Giannakakis | OKX Europe Limited | Piazzetta Business Plaza, Office Number 4, Floor 2, Triq Ghar il-Lembi, Sliema, SLM 1562, Malta.

EEA residents have the right to lodge a complaint with the competent data protection supervisory authority in their EU Member State of habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77). The lead supervisory authority for OKX Europe Limited is the Information and Data Protection Commissioner (IDPC) of Malta.

20. CHANGES TO THIS PRIVACY NOTICE

OKX will notify you of material changes to this Notice by: (a) email notification at least 30 days prior to the change taking effect; and (b) a prominent platform notice for at least 30 days. Non-material changes (typographical errors, updated contact details) may be made without prior notice. The effective date at the top of this Notice will be updated to reflect all revisions. Where a change requires fresh consent, it will be obtained separately before the change takes effect.

21. CONTACT US

For any questions about this Notice or the use of your Personal Data, contact us with the subject ‘PRIVACY REQUEST’ via:

  • Email: privacyoffice@okx200.com

  • Post: OKX Europe Limited, Piazzetta Business Plaza, Office Number 4, Floor 2, Triq Ghar il-Lembi, Sliema, SLM 1562, Malta.

22. LANGUAGES

This Notice may be posted in different languages. In the event of any discrepancy, the English version shall prevail.